Secure cookies: Sets the secure flag on
cookies to tell browsers they must not be sent along with
http:// requests. Enabled by default. Set
config.ssl_options with secure_cookies: false to
disable this feature.

HTTP Strict Transport Security (HSTS): Tells the browser
to remember this site as TLS-only and automatically redirect non-TLS
requests. Enabled by default. Configure config.ssl_options
with hsts: false to disable.

Set config.ssl_options with hsts: { ... } to
configure HSTS:

expires: How long, in seconds, these settings will stick. The
minimum required to qualify for browser preload lists is 1 year. Defaults
to 1 year (recommended).

subdomains: Set to true to tell the browser to
apply these settings to all subdomains. This protects your cookies from
interception by a vulnerable site on a subdomain. Defaults to
true.

preload: Advertise that this site may be included in
browsers' preloaded HSTS lists. HSTS protects your site on every visit
except the first visit since it hasn't seen your HSTS header
yet. To close this gap, browser vendors include a baked-in list of
HSTS-enabled sites. Go to hstspreload.org to submit your site for
inclusion. Defaults to false.

To turn off HSTS, omitting the header is not enough. Browsers will remember
the original HSTS directive until it expires. Instead, use the header to
tell browsers to expire HSTS immediately. Setting hsts: false
is a shortcut for hsts: { expires: 0 }.